<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security considerations" />
<meta name="abstract" content="This topic provides information about iSeries Access for Web security considerations." />
<meta name="description" content="This topic provides information about iSeries Access for Web security considerations." />
<meta name="DC.Relation" scheme="URI" content="rzammplan.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammsso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammbrowserconsid.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammcustpolicies.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammportroles.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzammsecurity" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security considerations</title>
</head>
<body id="rzammsecurity"><a name="rzammsecurity"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security considerations</h1>
<div><p>This topic describes the security considerations for iSeries™ Access for Web.</p>
<div class="section"><h4 class="sectiontitle">Authentication</h4><p>iSeries Access for Web must authenticate the user identity so that i5/OS™ resources are accessed under the correct user profile. The Web application and the portal application authenticate the user identity in different ways.</p>
<dl><dt class="dlterm">Web application</dt>
<dd>The Web application can be configured either to authenticate users itself or to let WebSphere<sup>®</sup> authenticate them. <p>When the Web application authenticates users, it validates an i5/OS user profile and password with i5/OS and uses HTTP basic authentication to prompt for them. HTTP basic authentication only encodes the user profile and password (Base64); it does not encrypt them, and the browser resends them with every request to the application. Use secure HTTP (HTTPS) for every connection to the application so that the authentication information is protected in transit.</p>
<p>When WebSphere authenticates users, it validates the user identity against the active user registry and uses either HTTP basic authentication or form-based authentication to prompt for the user ID and password. HTTP basic authentication encodes the user ID and password but does not encrypt them, and form-based authentication sends them in clear text in the request body. In both cases, use secure HTTP (HTTPS) to protect the authentication information during transmission.</p>
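<p>The following is an added example and is not code from this IBM topic: a small Python parser that recovers the user ID and password from a captured plaintext HTTP login request, for both HTTP basic authentication (Base64 decode, then split at the first colon, as RFC 7617 specifies) and form-based authentication (URL-decode the form body). The sample requests are constructed here; the <code>j_username</code> and <code>j_password</code> field names and the <code>j_security_check</code> path are the Java EE form-login convention that WebSphere form-based authentication uses, while the host name and application path are assumptions. Anyone who can observe the request when HTTPS is not used can do exactly this.</p>

```python
"""Recover credentials from plaintext HTTP basic and form-based logins.

Added example, not part of the original IBM topic. Shows concretely why
both login mechanisms described above must be carried over HTTPS: a passive
observer of the plaintext request gets the user ID and password back with a
few lines of code. The sample requests are constructed; the j_username,
j_password and j_security_check names are the Java EE form-login convention
WebSphere uses, and the host name and application path are assumptions.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample capture of an HTTP basic authentication request.
BASIC_REQUEST = (
    "GET /webaccess/iWAHome HTTP/1.1\r\n"
    "Host: myiseries.example.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"QUSER:p@ss:word").decode("ascii")
    + "\r\n\r\n"
)

# Constructed sample capture of a form-based login (Java EE j_security_check).
FORM_BODY = "j_username=QUSER&j_password=p%40ss%3Aword"
FORM_REQUEST = (
    "POST /webaccess/j_security_check HTTP/1.1\r\n"
    "Host: myiseries.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(FORM_BODY)}\r\n"
    "\r\n" + FORM_BODY
)


def split_request(raw):
    """Split a raw HTTP request into (request line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_basic(auth_header):
    """Decode an RFC 7617 Basic credential, or return None if it is not one.

    Base64 is an encoding, not encryption. The password may itself contain
    ':', so only the first colon separates user ID from password.
    """
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_from_form(body):
    """Pull the Java EE form-login fields out of a URL-encoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    if "j_username" in fields and "j_password" in fields:
        return fields["j_username"][0], fields["j_password"][0]
    return None


def exposed_credentials(raw_request):
    """Return the (user, password) a passive observer recovers, or None."""
    _, headers, body = split_request(raw_request)
    found = None
    if "authorization" in headers:
        found = credentials_from_basic(headers["authorization"])
    if found is None and headers.get("content-type", "").startswith(
        "application/x-www-form-urlencoded"
    ):
        found = credentials_from_form(body)
    return found


if __name__ == "__main__":
    for label, request in (("basic", BASIC_REQUEST), ("form", FORM_REQUEST)):
        print(label, exposed_credentials(request))
```

<p>Both sample requests yield the same user profile and password. Note that the basic credential is decoded from the header of every request, not just the first one, which is why HTTPS has to cover the whole session rather than only the login page.</p>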
<p>Letting WebSphere authenticate the user identity with form-based authentication also allows the Web application to participate in WebSphere single sign-on (SSO) environments.</p>
<p>After WebSphere has authenticated the user identity, the Web application uses Enterprise Identity Mapping (EIM) to map the authenticated WebSphere user identity to an i5/OS user identity.</p>
<p>For information about iSeries Access for Web and EIM, see the <a href="rzammsso.htm">Single sign-on considerations</a> topic.</p>
<p>For information about WebSphere single sign-on, see "Configure single sign-on" in the appropriate Information center version. Links to WebSphere information centers are in the <a href="http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/" target="_blank"> IBM<sup>®</sup> WebSphere Application Server documentation</a>.</p>
</dd>
<dt class="dlterm">Portal application</dt>
<dd>The portal application relies on the portal server to authenticate the user identity. <div class="p"><img src="./delta.gif" alt="Start of change" />After the portal server has authenticated the user identity, the iSeries Access portlets can be used. Each portlet provides an option in edit mode for selecting the credential to use when accessing i5/OS resources. Select one of these options:<dl><dt class="dlterm"><strong>Use credential specific to this portlet window</strong></dt>
<dd>An i5/OS user profile and password are supplied for this portlet instance only. The credential cannot be used by other portal users, or by other portlet instances of the current portal user.</dd>
<dt class="dlterm"><strong>Use credential set with iSeries Credentials portlet</strong></dt>
<dd>An i5/OS user profile and password are selected from the list of credentials that were defined using the iSeries Credentials portlet. The credential can be used by other portlet instances of the current portal user, but not by other portal users.</dd>
<dt class="dlterm"><strong>Use system shared credential set by administrator</strong></dt>
<dd>An i5/OS user profile and password are selected from the list of credentials that the portal administrator defined using the Credentials Vault administration function. The credential can be used by all portal users. Because every portal user then reaches i5/OS under the same user profile, i5/OS object-level security and auditing see only that shared profile, not the individual portal user; give the shared profile no more authority than the portlets require.</dd>
<dt class="dlterm"><strong>Use authenticated WebSphere credential</strong></dt>
<dd>The authenticated portal user identity is mapped to an i5/OS user identity using EIM. For information about iSeries Access for Web and EIM, see the <a href="rzammsso.htm">Single sign-on considerations</a> topic.</dd>
</dl>
<img src="./deltaend.gif" alt="End of change" /></div>
<p>For information about how WebSphere Portal authenticates the user identity, see <span class="menucascade"><span class="uicontrol">Securing your portal </span> > <span class="uicontrol">Security Concepts</span> > <span class="uicontrol">Authentication</span></span> in the <a href="http://publib.boulder.ibm.com/pvc/wp/502/smbi/en/InfoCenter/index.html" target="_blank"> WebSphere Portal Information Center</a>.</p>
</dd>
</dl>
</div>
<div class="section"><h4 class="sectiontitle">Restricting access to functions</h4><p>Users can be prevented from accessing individual iSeries Access for Web functions. The Web application and the portal application use different methods of restricting access.</p>
<p>For information about restricting access to functions for the Web application, see the <a href="rzammcustpolicies.htm">Policies</a> topic.</p>
<p>For information about restricting access to functions for the portal application, see the <a href="rzammportroles.htm">Portal roles</a> topic.</p>
</div>
<div class="section"><h4 class="sectiontitle">Object level security</h4><p>iSeries Access for Web enforces i5/OS object-level security when it accesses i5/OS resources. A user cannot access an i5/OS resource unless the i5/OS user profile under which the request runs has the required authority. Function restrictions control what the product offers a user; object-level authority controls what that user's profile can reach on the system, so both must be set correctly.</p>
</div>
<div class="section"><h4 class="sectiontitle">Secure HTTP (HTTPS)</h4><p>You can configure the iSeries server to use the Secure Sockets Layer (SSL) protocol for data encryption and for client and server authentication. Because both HTTP basic and form-based authentication transmit the user ID and password without encryption, HTTPS is required on every path those credentials travel. For information about SSL, HTTPS, and digital certificates, see the following:</p>
<ul><li>Security and SSL information in the <a href="http://www.ibm.com/eserver/iseries/software/http/docs/doc.htm" target="_blank">HTTP server documentation</a> <img src="www.gif" alt="Link outside Information Center" />.</li>
<li>Security and SSL information in the <a href="http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/docs/doc.htm" target="_blank">WebSphere Application Server documentation</a> <img src="www.gif" alt="Link outside Information Center" />.</li>
<li>Securing your portal in the <a href="http://publib.boulder.ibm.com/pvc/wp/502/smbi/en/InfoCenter/index.html" target="_blank">WebSphere Portal information center</a><img src="www.gif" alt="Link outside Information Center" />.</li>
<li><img src="./delta.gif" alt="Start of change" />Using digital certificates and SSL to enable secure communications for many applications, in the <a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager (DCM)</a> topic. <img src="./deltaend.gif" alt="End of change" /></li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">Exit programs</h4><p>iSeries Access for Web makes extensive use of the following i5/OS Host Servers:</p>
<ul><li>Signon</li>
<li>Central</li>
<li>Remote Command/Program Call</li>
<li>Database</li>
<li>File</li>
<li>Network Print</li>
</ul>
<p>Exit programs that restrict access to these servers, especially the Remote Command/Program Call server, will stop all or part of iSeries Access for Web from working. Before deployment, review the exit programs registered on these servers and confirm that they permit the user profiles under which iSeries Access for Web will run.</p>
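<p>As an added example (not from this IBM topic), the following Python script reads a text export of exit point registrations and reports which of the six host servers listed above have exit programs attached, so they can be reviewed before deployment. The exit point names it uses are the i5/OS host-server exit points as recalled by the editor and should be verified against WRKREGINF on your system; the registration listing is constructed for the example and is not the actual WRKREGINF panel format.</p>

```python
"""Report exit programs registered on the host servers iSeries Access for Web uses.

Added example, not part of the original IBM topic. The topic states that exit
programs restricting the Signon, Central, Remote Command/Program Call,
Database, File and Network Print servers can break the product. This script
takes a simple text listing of exit point registrations and maps each
registered program back to the host server it guards. The exit point names
are the i5/OS host-server exit points as recalled from memory (assumption:
verify with WRKREGINF); the sample listing is constructed for this example.
"""
import re

# Host server -> exit point names (assumed from memory; verify with WRKREGINF).
HOST_SERVER_EXIT_POINTS = {
    "Signon": ["QIBM_QZSO_SIGNONSRV"],
    "Central": ["QIBM_QZSC_LM", "QIBM_QZSC_NLS"],
    "Remote Command/Program Call": ["QIBM_QZRC_RMT"],
    "Database": [
        "QIBM_QZDA_INIT",
        "QIBM_QZDA_NDB1",
        "QIBM_QZDA_SQL1",
        "QIBM_QZDA_SQL2",
        "QIBM_QZDA_ROI1",
    ],
    "File": ["QIBM_QPWFS_FILE_SERV"],
    "Network Print": ["QIBM_QNPS_ENTRY", "QIBM_QNPS_SPLF"],
}

# Constructed listing, one registration per line:
# EXIT_POINT  FORMAT  LIBRARY/PROGRAM  ("*NONE" means nothing registered).
SAMPLE_REGISTRATIONS = """\
QIBM_QZRC_RMT        CZRC0100  SECLIB/RMTCMDEXIT
QIBM_QZDA_INIT       ZDAI0100  SECLIB/DBINITEXIT
QIBM_QZSO_SIGNONSRV  ZSOY0100  *NONE
QIBM_QPWFS_FILE_SERV PWFS0100  *NONE
QIBM_QNPS_ENTRY      ENTR0100  SECLIB/PRTEXIT
QIBM_QTMF_CLIENT_REQ VLRQ0100  SECLIB/FTPEXIT
"""

LINE_RE = re.compile(r"^(?P<point>\S+)\s+(?P<fmt>\S+)\s+(?P<program>\S+)\s*$")


def parse_registrations(text):
    """Return {exit_point: [library/program, ...]}, skipping '*NONE' rows."""
    registered = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match or match.group("program") == "*NONE":
            continue
        registered.setdefault(match.group("point"), []).append(match.group("program"))
    return registered


def host_servers_with_exit_programs(text):
    """Map each affected host server to its (exit point, program) pairs.

    Servers with no exit program attached are left out, so an empty result
    means nothing in the listing can interfere with iSeries Access for Web.
    Exit points outside the host-server set (for example FTP) are ignored.
    """
    registered = parse_registrations(text)
    affected = {}
    for server, points in HOST_SERVER_EXIT_POINTS.items():
        hits = [(point, prog) for point in points for prog in registered.get(point, [])]
        if hits:
            affected[server] = hits
    return affected


if __name__ == "__main__":
    for server, hits in host_servers_with_exit_programs(SAMPLE_REGISTRATIONS).items():
        note = "  <- topic: especially disruptive" if server.startswith("Remote Command") else ""
        print(f"{server}{note}")
        for point, program in hits:
            print(f"    {point} -> {program}")
```

<p>Each program the script reports has to be checked for how it treats the profiles iSeries Access for Web signs on with; a registered program on the Remote Command/Program Call server deserves the first look, since the topic singles that server out.</p>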
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzammsso.htm">Single sign-on considerations</a></strong><br />
Learn about considerations associated with using single sign-on in a Web application server environment.</li>
</ul>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammplan.htm" title="This topic contains conceptual information, considerations you need to be aware of, and checklists to help you get ready to use iSeries Access for Web.">Plan for iSeries Access for Web</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzammbrowserconsid.htm">Browser considerations</a></div>
<div><a href="rzammcustpolicies.htm" title="The Customize Policies function controls access to iSeries Access for Web functions. Individual policy settings can be administered at the iSeries user and group profile level.">Policies</a></div>
<div><a href="rzammportroles.htm" title="Understand the WebSphere Portal role assignments used by iSeries Access portlets.">Portal roles</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm" target="_blank">Digital Certificate Manager (DCM)</a></div>
</div>
</div>
</body>
</html>